Must 'Wearables' be HIPAA-Compliant?

Earlier this month, FitBit, Inc. announced that it had reached HIPAA compliance with regard to the user health data it collects.
For those not in the know, FitBit, Inc. is the company responsible for many of the brightly colored, flexible bracelets, anklets, and pendants you may see your colleagues wearing throughout the work week. Inside those fashion accessories are health monitors and pedometers that collect data on the user's heart rate, sleeping patterns, and number of steps taken. This information is then automatically uploaded to an app or website which, when it is combined with other personal health characteristics (e.g. height, weight, age, gender, ethnicity, and eating patterns), can tell users what they need to do to get or stay healthy. These devices are sometimes called 'wearables' by geeky people (i.e. me), and FitBit is merely the leader among thousands of competitors.


She cast away her apple watch for a fitbit.

The announcement concerned an offshoot of FitBit, Inc., FitBit Wellness. It was big news because many health care providers, insurance carriers, and workplace wellness programs had been approached by FitBit Wellness about partnering, and some had grown leery of FitBit's collection and use of what would amount to HIPAA-protected data. Now, the HIPAA compliance program will enable Fitbit Wellness to better support HIPAA-covered entities that are looking to improve the health and wellness of their members and employees. Furthermore, because it can now enter into Business Associate Agreements with HIPAA-covered entities, Fitbit will be able to expand its integration opportunities with health plans and self-insured employers.
The HIPAA compliance program was not necessary for FitBit to continue to engage with much of its existing customer base, because FitBit was not a covered entity under HIPAA. Nor was the data it collected from its users automatically HIPAA-protected data merely by virtue of existing. Rather, that data was governed by the user agreement that users undoubtedly clicked through (which I'm sure everyone read carefully) when signing up on the website or app. However, if the FitBit device was required through a health plan or an employer's wellness program, then FitBit was collecting what is considered HIPAA-protected data. At least, HIPAA defines that data as protected health information (PHI), and it was supposed to be safeguarded appropriately.
That is what triggered this effort by FitBit to become HIPAA compliant. FitBit presently has wellness relationships with many industries and organizations, including Appirio, Boston College, Box, Houston Methodist, Indiana University Health, Sharp Healthcare, and TransUnion. It has longstanding partnerships with leading corporate wellness organizations such as StayWell, Humana and Vitality, as well as health plans including Anthem. To date, over 50 of the Fortune 500 companies across a variety of industries are Fitbit wellness customers.
What this means is that Fitbit will have to implement the security controls required by the HIPAA Security Rule, but only with respect to data it receives from, or collects on behalf of, covered-entity health plans or healthcare providers.